General

  • Target

    New folder (2).rar

  • Size

    3.7MB

  • Sample

    241103-x1b8ws1lgt

  • MD5

    f8410956c346cd59ed8097e7d9d09fe5

  • SHA1

    7521bd800298e80a97e91c7e9c0814d6d1dcca85

  • SHA256

    49f236dbcde6f32d6573c8d4ca9922b4f9a60a18aacea5c2421d08997ef14a33

  • SHA512

    85f7e5ef7cabc63b6b1797f22f2e25dbfd1f046251258d6bceaf87d231c01f545467ac50a0a0fd2186342dd45fe1bab7077c3fdb61b1f475ff17911a204053d9

  • SSDEEP

    98304:oeRzhLCpeWvgPdVWQO5J9kgMUKqxKB3773C:geWvglMQ9gMUKqwB3q

Malware Config

Extracted

Family

pony

C2

http://209.59.223.57/ponyd/gate.php

http://204.145.80.32/ponyd/gate.php

Targets

    • Target

      0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232

    • Size

      112KB

    • MD5

      f004f9006a9593085ea7b8137b1a49b0

    • SHA1

      f934c59beed0e2ce22f7e599ca044896891e6b50

    • SHA256

      0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232

    • SHA512

      a92dd14212f3e2bfcb28367156dcb1812e127f36d7d20000a1f9e2349f9d9cc7576672dbdcbb8bd0834a6eb06ff8ef4b039483c63c3aae5aab7e2aad1b95e345

    • SSDEEP

      1536:nUYy7yep5ACr/BTHVrWRNUFhipHo6JiAXE7ddHQ:Eyep5AKIRTjpE7ddH

    • Target

      11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b

    • Size

      270KB

    • MD5

      ff65efde80e228ed8173eccac713994f

    • SHA1

      12f7dd1c7f9cbc49c5c979d3b8d7ee6aa7bde2f4

    • SHA256

      11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b

    • SHA512

      04e5d383274a58795e3cf3bac130dfd958f90454e9c08714d344711664bc81dbaa247746261167b596e73d172ca66853b58d6a2539232657b7f3f34af0199dba

    • SSDEEP

      3072:lzJktbbENFvx0HPaeXseTbCbXRVr9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGs:lzJktb4NFWbcePCbXtGCYu1no+4y8yz

    Score
    3/10
    • Target

      childmoney.exe

    • Size

      404KB

    • MD5

      71a0eb4f260866a58bb2006bad6d0c06

    • SHA1

      0eec33b6d27fc49422272c4151f22e1733628573

    • SHA256

      e79573b066c38263029bdef41c8fe359018750b67728772ff596e03b96c2fa48

    • SHA512

      fda1ffc4dd7cbbf376901e2540f7311397b0084f59b87e7133112b6bfacc710928235e3254b120123ffc3926190a909e406a0c7e6052ca583fbd7d643f65e27c

    • SSDEEP

      6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lkiTO60JnzCY:qVg8A/OcAuVSEDcJEIAflXWn7

    Score
    3/10
    • Target

      1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a

    • Size

      176KB

    • MD5

      4565b39844ce45f6b6440ce050a7d70c

    • SHA1

      8ff6eeb364a072efedd298d4711ef6069a258107

    • SHA256

      1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a

    • SHA512

      ffa69bf743426a1b6d0fc39b0f9aa2742067414f7aa8cbb355a81a8bdcb8bc7cd42af45689d01ab493bdc61e5ce944999aebe13bf56505ffc77ab46883b39850

    • SSDEEP

      3072:lzJ739yiwUGmuxpbvm5HJCNJxWlnhL8ac7lxJ7wzM9:lzJx/wUGbrLm5HJCRWln18Z7lTMzU

    Score
    3/10
    • Target

      32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b

    • Size

      270KB

    • MD5

      1d7e40a4a9c7ed251cacfddaea76e43a

    • SHA1

      0efc124633fa9e07385d0cb6ce4c0b45dbbd0c24

    • SHA256

      32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b

    • SHA512

      ad275a1c5cb6e0ca5e52b3d49a0e8c1ccac0371c0c6923dab65f27f9506e290baae200c8662a827aad93aa48bba9f095eae7d4784b3af68d6fb645a9d4e5f3ea

    • SSDEEP

      3072:+zJktbSENFvx0HPaeXseTbCbXRg9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGRv:+zJktbjNFWbcePCbXoGCYu1no+4y8yBA

    Score
    3/10
    • Target

      5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d

    • Size

      270KB

    • MD5

      e18de50458a0c1937bd82275c21304cd

    • SHA1

      5d9a28fef0e62b1636ad7a2485168d4955639159

    • SHA256

      5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d

    • SHA512

      9e0834f45c0ad266391654c66ee13b8a3d358eb0cb5187df48a56a5e14d96cc0cbe7a773970bbaf290cb71900f0df58ceed8f8562bf74ea3ec9ffd092fbd347a

    • SSDEEP

      3072:lzJktbbENFvx0HPaeXseTbCbXRVr9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGo:lzJktb4NFWbcePCbXtGCYu1no+4y8yn

    Score
    3/10
    • Target

      50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869

    • Size

      564KB

    • MD5

      31aa278085c235260fb64311532b1893

    • SHA1

      2fdbb2ad8abdc69d7d4d1115287f3513c31446a1

    • SHA256

      50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869

    • SHA512

      b761774f02c3814d8d965ad4e70a3bda31184abbf3f7293c6885904ca192f9406c27ba4c2f0b9ecc1920534a4a01353a8213f880449aa5aa1dc54bfe80357f2d

    • SSDEEP

      12288:bwla+aTeq8Rg1yVkzES8RZTOy0fl+rsuNkabtW:kM+Z3S1uJSCvCwrsqr

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b

    • Size

      233KB

    • MD5

      bfa8d7e786efd8a037f2dcce4335b4b0

    • SHA1

      87841dc8f57f9b4f364fa719ca520c33677c0d9f

    • SHA256

      57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b

    • SHA512

      8ab214628025e08c2c408bfb53491f5bcfde4e5c78ecb679fa1db262b2f9fdfcebc4a9e3d99cc59fd7c726e3daa38b056c0d19ffaaed203462863fb8544ccaca

    • SSDEEP

      3072:pEjewHbVgiarKbnubRfwl41JA+OKs7uTiuTKx:pEjnHb5B69wCA+OKtTNT

    Score
    3/10
    • Target

      65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202

    • Size

      505KB

    • MD5

      cfa33fbbf74e795ec3008aec9f70e3f7

    • SHA1

      9954d9bdcd643ea2a8121f058eb9e30b65439488

    • SHA256

      65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202

    • SHA512

      a1805d03d02545424429715177eadd16921d8804d53412e17054c2ac95591b71660be0e33d626fc823c16773a95cbe73efa03a188bb4a1ee97c2645408ec6ee4

    • SSDEEP

      1536:9NhENNo2oa5pHwAVvu0IysOPv3YdI3EpCK+V5iR/yKoDn66XujshkGXE7rFKh:9gN5ogyJ0XgdsEIKlyKo26Jkj7rF

    • Modifies firewall policy service

    • Modifies security service

    • Modifies visibility of file extensions in Explorer

    • Modifies visibility of hidden/system files in Explorer

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      Removes IFEO entries.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be

    • Size

      148KB

    • MD5

      8fa1825810977b3f875a88de9d757453

    • SHA1

      1d5d3b3cb8312ec72fba34f4d11ca52e212cc88d

    • SHA256

      6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be

    • SHA512

      f2da58ab80b8f51ea218ea3f20d414b4532325bde9378c3626ee6b455a863412e6e96da424051f16a320b3ca2d811a4030210adfe5a63bbc19c4196c0327b24c

    • SSDEEP

      3072:KA2hCdFXayYEf4B3UptTDYiYC5p5vWwYn9k:7MCbayFfaeCirpQn9

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146

    • Size

      82KB

    • MD5

      6268ccc19622e7148a988efc4597ff87

    • SHA1

      f92a2464269e0a969465f169a2969d3e8b2014f1

    • SHA256

      72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146

    • SHA512

      e9ed140e4bd7ba998639667388dfb39cd9843a960086208076d3c10603e1348c5cc95965e91866897e1c10e762a3eff48cc9e1950ce82be82888373d52985844

    • SSDEEP

      1536:VxBqJVw6hRTDS2DO/RJJWVE3NPFcNmTQU95FmJx:Vqo6hFDSd0y3NPoW95FmJ

    Score
    10/10
    • Modifies WinLogon for persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe

    • Size

      256KB

    • MD5

      1ef9ec76a43b0a208704cdca562e84cd

    • SHA1

      d31082243a555a690d5576c9666648f89e673f63

    • SHA256

      751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe

    • SHA512

      18d9cc4109d526f1588129e9fb6f8b8db4601d5e4c1231d9b58440d27f041044551d5da5afb2fefc9bd62be6a90506aa5b4bd29d788e448c7c0c9b3f7ed4b772

    • SSDEEP

      3072:hJNgCPq8kZpStF3BifIYaX2blO3SbPoTBfnl7hAg0FuW92tpItc6mSbMPzKq:RtP7DR4dB1bPoTBPl7hAOwU16mn7

    Score
    10/10
    • Target

      95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063

    • Size

      843KB

    • MD5

      c5dbc01ab92265d4bd1355857989cd09

    • SHA1

      34ead67e09348de35da20bf9de3ec23a78986992

    • SHA256

      95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063

    • SHA512

      4b3406c89a5489690041b904bbdb749785df23ab791835964ac8d58930426f40bf4da33e9f37a18d107a927b1c78197c346633a18a6d82a602483f11c99c1cf5

    • SSDEEP

      12288:qVg8A/OcAuVSEDcJEIAflJqCThplNe5UXrhXJSwgOR9wDqn9SpUtIF2bCpzk94gN:qwBVaOIA0C1H4EhXJS3oIqnDeZzW0Y

    Score
    3/10
    • Target

      a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607

    • Size

      377KB

    • MD5

      0108dd030ff9f1316c885b9df61d3409

    • SHA1

      7a852edb9f3f80b3abf2813db7bb84eecb07e051

    • SHA256

      a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607

    • SHA512

      860a6d464e5b903162d4cb355b8c997dfb2d51cfb015891cde2b5560264a654a4e7b8dd62fa3a3e72f7dd0f22098b554ef34b2621a8a8d78482bd33ec23dbd57

    • SSDEEP

      6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lkh6TF91:qVg8A/OcAuVSEDcJEIAflFN

    Score
    3/10
    • Target

      c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774

    • Size

      66KB

    • MD5

      682e2024a229429202cb86dff22c7564

    • SHA1

      adffba9e3b0f2f387b9b43793f274aa102df981f

    • SHA256

      c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774

    • SHA512

      289fdfd7d1e6ff58af8a07df117a93b86777e4a9b4e68c1406a43f85de7ea22be7511795a569b47d790289d8c8e7cc98f64e2f679819009d9293e5d03575ccd7

    • SSDEEP

      1536:iuDxWf9xmOPtwwJcx1BFTor3TE6ReTL0n63huKwX:iusfmSUxC3tRQ0n62X

    Score
    3/10
    • Target

      dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19

    • Size

      190KB

    • MD5

      94b4c54d8b6df1621ac896c7d53ef41e

    • SHA1

      d8a60f72e942db79d83945fdf7788f1b1259260e

    • SHA256

      dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19

    • SHA512

      7450f64bd9af8bfcdeb8f1264dd1dd62b4e22761578c9c64f9bb0fa7da3a982a7eba543ff903a56d941dc6c1a333bc2877cca99e8e12044cb913319a27a966cb

    • SSDEEP

      3072:uKCF8UpK37WQUoBTBn+KQxvuj0XMPI3nFtf8eTFgU3AKOs8q0uyxzdAPLTOGR0/:NCF88KLWhoB9muAXMPneZgU3ALswukdH

    Score
    1/10
    • Target

      e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87

    • Size

      34KB

    • MD5

      946a8c16227ad3af210f9fc0dbee211d

    • SHA1

      bb0a6b3ab7b57a23da69a909542874bade4dd2f2

    • SHA256

      e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87

    • SHA512

      e64d929917e24597199399a8b3d40925d1fef89f2dd4a8cae6c312cb4fc028cb70fc53e46bf3aea1f36e1eaa5f79901e273ec7a8ff58c780426627a3960b8bd3

    • SSDEEP

      768:l5OkRI7u8xe92wYsPJrL/rOAEbfbbz8Msjd29TBDP:l51RIq2e9lPJvKr0pjwZ

    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46

    • Size

      30KB

    • MD5

      429c70c311b1740241d83b79adde656b

    • SHA1

      0e24796803f081ec6ab3a31e551f32b3754b29ce

    • SHA256

      edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46

    • SHA512

      0c1ac8034648cb895e3832915a797cba2d4d04c63b7b84b96a811109501f017ec61efc8ed37943d5d2f72baa1205e09ff189f670a3d4841abd58b0058bd38be5

    • SSDEEP

      768:0woYMIgddEm5bh53EhSt3lScLJOtfq+X30fF:vdKAW/UUWtfq+X30N

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b

    • Size

      160KB

    • MD5

      f0949d80cff63963625fcdf1fbb77ca8

    • SHA1

      9e640241e9b3c11af65665d6ebde18d762bf2d2a

    • SHA256

      f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b

    • SHA512

      bc97e3a430a7f7d09acb7dd1ca5cb9d100141371355fab7768155a9265c56777e06de67ffe7b8ad82b762f8306ae64534abc8ad7947b3f0c1e86d6487e5f1f51

    • SSDEEP

      3072:usN4+W+ogJ4i9zgCTwTmYPtZNpVvQVZQUrUMyCZLFJd3:VDTJKzqOuVzAMyOp

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • Target

      fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad

    • Size

      349KB

    • MD5

      08bc9bbddebf41c4efef41aca0d7e2da

    • SHA1

      9920e552c1a68cc766643e2069ed0a3050c2cbdb

    • SHA256

      fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad

    • SHA512

      4e2c7a7e1a442cefdaf74be6ea66de7d997d54e9c91252711e35261d678be7e3629f119f42798bb22f2d1346eaa13de792c060cf79c8255c7f7175b27b693155

    • SSDEEP

      6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lk/r:qVg8A/OcAuVSEDcJEIAfl6

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

aspackv2, upx
Score
7/10

behavioral1

discovery, evasion, persistence, privilege_escalation, trojan
Score
10/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery, persistence, upx
Score
6/10

behavioral8

discovery
Score
3/10

behavioral9

defense_evasion, discovery, evasion, persistence, spyware, stealer, trojan, upx
Score
10/10

behavioral10

pony, collection, credential_access, discovery, rat, spyware, stealer
Score
10/10

behavioral11

discovery, persistence
Score
10/10

behavioral12

discovery, persistence
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

Score
1/10

behavioral17

discovery, persistence, upx
Score
10/10

behavioral18

discovery, upx
Score
5/10

behavioral19

bootkit, discovery, persistence
Score
7/10

behavioral20

discovery
Score
3/10